From b1fcfb28a4d1b7ddf9b393b697d76256cc52f760 Mon Sep 17 00:00:00 2001
From: Ting Liu
Date: Thu, 16 Jun 2016 17:07:46 +0800
Subject: linux-qoriq: upgrade to 4.1
The main features are:
* Linux kernel 4.1.8
* ARM A7 (AARCH32), A53 and A57 (AARCH64), Little Endian (default)
* Power Architecture e500mc, e5500, e6500
* Multicore SMP support and multithread (e6500)
* 32-bit effective kernel addressing [e500mc, e5500, A57]
* 64-bit effective addressing [e6500, A53, A57]
* Huge Pages (hugetlbfs)
* Linux Real-Time (RT) [P4080, B4860, LS1021A]
* Kernel-based Virtual Machine (KVM)
* Libvirt 1.2.19
* Linux Containers (LXC) 1.1.4 function support
Detailed commit log can be found at: http://git.freescale.com/git/cgit.cgi/ppc/sdk/linux.git/log/?h=sdk-v2.0.x
Signed-off-by: Ting Liu
---
.../0001-powerpc-Align-TOC-to-256-bytes.patch | 37 ------
.../files/module-remove-MODULE_GENERIC_TABLE.patch | 77 -----------
.../linux/files/net-sctp-CVE-2014-0101.patch | 145 ---------------------
recipes-kernel/linux/linux-qoriq_3.12.bb | 59 ---------
recipes-kernel/linux/linux-qoriq_4.1.bb | 56 ++++++++
5 files changed, 56 insertions(+), 318 deletions(-)
delete mode 100644 recipes-kernel/linux/files/0001-powerpc-Align-TOC-to-256-bytes.patch
delete mode 100644 recipes-kernel/linux/files/module-remove-MODULE_GENERIC_TABLE.patch
delete mode 100644 recipes-kernel/linux/files/net-sctp-CVE-2014-0101.patch
delete mode 100644 recipes-kernel/linux/linux-qoriq_3.12.bb
create mode 100644 recipes-kernel/linux/linux-qoriq_4.1.bb
diff --git a/recipes-kernel/linux/files/0001-powerpc-Align-TOC-to-256-bytes.patch b/recipes-kernel/linux/files/0001-powerpc-Align-TOC-to-256-bytes.patch
deleted file mode 100644
index 2131c9d..0000000
--- a/recipes-kernel/linux/files/0001-powerpc-Align-TOC-to-256-bytes.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 7d4d16a6ccdd6d965b84284262a67d5b63426d50 Mon Sep 17 00:00:00 2001
-From: Zhenhua Luo
-Date: Mon, 9 Nov 2015 04:36:29 -0600
-Subject: [PATCH] powerpc: Align TOC to 256 bytes
-
-Recent toolchains(gcc-5.2) force the TOC to be 256 byte aligned. We need
-to enforce this alignment in our linker script, otherwise pointers
-to our TOC variables (__toc_start, __prom_init_toc_start) could
-be incorrect.
-
-If they are bad, we die a few hundred instructions into boot.
-
-Upstream-Status: Backport
-
-Backport from https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5e95235
-
-Signed-off-by: Zhenhua Luo
----
- arch/powerpc/kernel/vmlinux.lds.S | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/arch/powerpc/kernel/vmlinux.lds.S b/arch/powerpc/kernel/vmlinux.lds.S
-index f096e72..3266864 100644
---- a/arch/powerpc/kernel/vmlinux.lds.S
-+++ b/arch/powerpc/kernel/vmlinux.lds.S
-@@ -213,6 +213,8 @@ SECTIONS
- *(.opd)
- }
-
-+ . = ALIGN(256);
-+
- .got : AT(ADDR(.got) - LOAD_OFFSET) {
- __toc_start = .;
- #ifndef CONFIG_RELOCATABLE
---
-2.3.3
-
diff --git a/recipes-kernel/linux/files/module-remove-MODULE_GENERIC_TABLE.patch b/recipes-kernel/linux/files/module-remove-MODULE_GENERIC_TABLE.patch
deleted file mode 100644
index 5a67155..0000000
--- a/recipes-kernel/linux/files/module-remove-MODULE_GENERIC_TABLE.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-module: remove MODULE_GENERIC_TABLE
-
-MODULE_DEVICE_TABLE() calles MODULE_GENERIC_TABLE(); make it do the
-work directly. This also removes a wart introduced in the last patch,
-where the alias is defined to be an unknown struct type "struct
-type##__##name##_device_id" instead of "struct type##_device_id" (it's
-an extern so GCC doesn't care, but it's wrong).
-
-The other user of MODULE_GENERIC_TABLE (ISAPNP_CARD_TABLE) is unused,
-so delete it.
-
-
-
-Signed-off-by: Rusty Russell
-Signed-off-by: Zhenhua Luo
-
-Upstream-Status: Backport
----
- include/linux/isapnp.h | 4 ----
- include/linux/module.h | 19 ++++++++-----------
- 2 files changed, 8 insertions(+), 15 deletions(-)
-
-diff --git a/include/linux/isapnp.h b/include/linux/isapnp.h
-index e2d28b0..3c77bf9 100644
---- a/include/linux/isapnp.h
-+++ b/include/linux/isapnp.h
-@@ -56,10 +56,6 @@
- #define ISAPNP_DEVICE_ID(_va, _vb, _vc, _function) \
- { .vendor = ISAPNP_VENDOR(_va, _vb, _vc), .function = ISAPNP_FUNCTION(_function) }
-
--/* export used IDs outside module */
--#define ISAPNP_CARD_TABLE(name) \
-- MODULE_GENERIC_TABLE(isapnp_card, name)
--
- struct isapnp_card_id {
- unsigned long driver_data; /* data private to the driver */
- unsigned short card_vendor, card_device;
-diff --git a/include/linux/module.h b/include/linux/module.h
-index 54aef1b..a9f6812 100644
---- a/include/linux/module.h
-+++ b/include/linux/module.h
-@@ -83,15 +83,6 @@ void sort_extable(struct exception_table_entry *start,
- void sort_main_extable(void);
- void trim_init_extable(struct module *m);
-
--#ifdef MODULE
--#define MODULE_GENERIC_TABLE(gtype,name) \
--extern const struct gtype##_id __mod_##gtype##_table \
-- __attribute__ ((unused, alias(__stringify(name))))
--
--#else /* !MODULE */
--#define MODULE_GENERIC_TABLE(gtype,name)
--#endif
--
- /* Generic info of form tag = "info" */
- #define MODULE_INFO(tag, info) __MODULE_INFO(tag, tag, info)
-
-@@ -142,8 +133,14 @@ extern const struct gtype##_id __mod_##gtype##_table \
- /* What your module does. */
- #define MODULE_DESCRIPTION(_description) MODULE_INFO(description, _description)
-
--#define MODULE_DEVICE_TABLE(type,name) \
-- MODULE_GENERIC_TABLE(type##__##name##_device, name)
-+#ifdef MODULE
-+/* Creates an alias so file2alias.c can find device table. */
-+#define MODULE_DEVICE_TABLE(type, name) \
-+ extern const struct type##_device_id __mod_##type##__##name##_device_table \
-+ __attribute__ ((unused, alias(__stringify(name))))
-+#else /* !MODULE */
-+#define MODULE_DEVICE_TABLE(type, name)
-+#endif
-
- /* Version of form [:][-].
- Or for CVS/RCS ID version, everything but the number is stripped.
---
-2.5.0
-
diff --git a/recipes-kernel/linux/files/net-sctp-CVE-2014-0101.patch b/recipes-kernel/linux/files/net-sctp-CVE-2014-0101.patch
deleted file mode 100644
index ddcb6c5..0000000
--- a/recipes-kernel/linux/files/net-sctp-CVE-2014-0101.patch
+++ /dev/null
@@ -1,145 +0,0 @@
-From 00c53b02cb01976b35d37670a4b5c5d7a6ad3c62 Mon Sep 17 00:00:00 2001
-From: Daniel Borkmann
-Date: Mon, 3 Mar 2014 17:23:04 +0100
-Subject: [PATCH] net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is
- AUTH capable
-
-[ Upstream commit ec0223ec48a90cb605244b45f7c62de856403729 ]
-
-RFC4895 introduced AUTH chunks for SCTP; during the SCTP
-handshake RANDOM; CHUNKS; HMAC-ALGO are negotiated (CHUNKS
-being optional though):
-
- ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
- <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
- -------------------- COOKIE-ECHO -------------------->
- <-------------------- COOKIE-ACK ---------------------
-
-A special case is when an endpoint requires COOKIE-ECHO
-chunks to be authenticated:
-
- ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
- <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
- ------------------ AUTH; COOKIE-ECHO ---------------->
- <-------------------- COOKIE-ACK ---------------------
-
-RFC4895, section 6.3. Receiving Authenticated Chunks says:
-
- The receiver MUST use the HMAC algorithm indicated in
- the HMAC Identifier field. If this algorithm was not
- specified by the receiver in the HMAC-ALGO parameter in
- the INIT or INIT-ACK chunk during association setup, the
- AUTH chunk and all the chunks after it MUST be discarded
- and an ERROR chunk SHOULD be sent with the error cause
- defined in Section 4.1. [...] If no endpoint pair shared
- key has been configured for that Shared Key Identifier,
- all authenticated chunks MUST be silently discarded. [...]
-
- When an endpoint requires COOKIE-ECHO chunks to be
- authenticated, some special procedures have to be followed
- because the reception of a COOKIE-ECHO chunk might result
- in the creation of an SCTP association. If a packet arrives
- containing an AUTH chunk as a first chunk, a COOKIE-ECHO
- chunk as the second chunk, and possibly more chunks after
- them, and the receiver does not have an STCB for that
- packet, then authentication is based on the contents of
- the COOKIE-ECHO chunk. In this situation, the receiver MUST
- authenticate the chunks in the packet by using the RANDOM
- parameters, CHUNKS parameters and HMAC_ALGO parameters
- obtained from the COOKIE-ECHO chunk, and possibly a local
- shared secret as inputs to the authentication procedure
- specified in Section 6.3. If authentication fails, then
- the packet is discarded. If the authentication is successful,
- the COOKIE-ECHO and all the chunks after the COOKIE-ECHO
- MUST be processed. If the receiver has an STCB, it MUST
- process the AUTH chunk as described above using the STCB
- from the existing association to authenticate the
- COOKIE-ECHO chunk and all the chunks after it. [...]
-
-Commit bbd0d59809f9 introduced the possibility to receive
-and verification of AUTH chunk, including the edge case for
-authenticated COOKIE-ECHO. On reception of COOKIE-ECHO,
-the function sctp_sf_do_5_1D_ce() handles processing,
-unpacks and creates a new association if it passed sanity
-checks and also tests for authentication chunks being
-present. After a new association has been processed, it
-invokes sctp_process_init() on the new association and
-walks through the parameter list it received from the INIT
-chunk. It checks SCTP_PARAM_RANDOM, SCTP_PARAM_HMAC_ALGO
-and SCTP_PARAM_CHUNKS, and copies them into asoc->peer
-meta data (peer_random, peer_hmacs, peer_chunks) in case
-sysctl -w net.sctp.auth_enable=1 is set. If in INIT's
-SCTP_PARAM_SUPPORTED_EXT parameter SCTP_CID_AUTH is set,
-peer_random != NULL and peer_hmacs != NULL the peer is to be
-assumed asoc->peer.auth_capable=1, in any other case
-asoc->peer.auth_capable=0.
-
-Now, if in sctp_sf_do_5_1D_ce() chunk->auth_chunk is
-available, we set up a fake auth chunk and pass that on to
-sctp_sf_authenticate(), which at latest in
-sctp_auth_calculate_hmac() reliably dereferences a NULL pointer
-at position 0..0008 when setting up the crypto key in
-crypto_hash_setkey() by using asoc->asoc_shared_key that is
-NULL as condition key_id == asoc->active_key_id is true if
-the AUTH chunk was injected correctly from remote. This
-happens no matter what net.sctp.auth_enable sysctl says.
-
-The fix is to check for net->sctp.auth_enable and for
-asoc->peer.auth_capable before doing any operations like
-sctp_sf_authenticate() as no key is activated in
-sctp_auth_asoc_init_active_key() for each case.
-
-Now as RFC4895 section 6.3 states that if the used HMAC-ALGO
-passed from the INIT chunk was not used in the AUTH chunk, we
-SHOULD send an error; however in this case it would be better
-to just silently discard such a maliciously prepared handshake
-as we didn't even receive a parameter at all. Also, as our
-endpoint has no shared key configured, section 6.3 says that
-MUST silently discard, which we are doing from now onwards.
-
-Before calling sctp_sf_pdiscard(), we need not only to free
-the association, but also the chunk->auth_chunk skb, as
-commit bbd0d59809f9 created a skb clone in that case.
-
-I have tested this locally by using netfilter's nfqueue and
-re-injecting packets into the local stack after maliciously
-modifying the INIT chunk (removing RANDOM; HMAC-ALGO param)
-and the SCTP packet containing the COOKIE_ECHO (injecting
-AUTH chunk before COOKIE_ECHO). Fixed with this patch applied.
-
-This fixes CVE-2014-0101
-Upstream-Status: Backport
-
-Fixes: bbd0d59809f9 ("[SCTP]: Implement the receive and verification of AUTH chunk")
-Signed-off-by: Daniel Borkmann
-Cc: Vlad Yasevich
-Cc: Neil Horman
-Acked-by: Vlad Yasevich
-Signed-off-by: David S. Miller
-Signed-off-by: Jiri Slaby
-Signed-off-by: Sona Sarmadi
----
- net/sctp/sm_statefuns.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
-index dfe3f36..56ebe71 100644
---- a/net/sctp/sm_statefuns.c
-+++ b/net/sctp/sm_statefuns.c
-@@ -768,6 +768,13 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(struct net *net,
- return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
- }
-
-+ /* Make sure that we and the peer are AUTH capable */
-+ if (!net->sctp.auth_enable || !new_asoc->peer.auth_capable) {
-+ kfree_skb(chunk->auth_chunk);
-+ sctp_association_free(new_asoc);
-+ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
-+ }
-+
- /* set-up our fake chunk so that we can process it */
- auth.skb = chunk->auth_chunk;
- auth.asoc = chunk->asoc;
---
-1.9.1
-
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb
deleted file mode 100644
index 533225d..0000000
--- a/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ /dev/null
@@ -1,59 +0,0 @@
-inherit kernel kernel-arch qoriq_build_64bit_kernel
-require recipes-kernel/linux/linux-dtb.inc
-
-DESCRIPTION = "Linux kernel for Freescale platforms"
-SECTION = "kernel"
-LICENSE = "GPLv2"
-LIC_FILES_CHKSUM = "file://COPYING;md5=d7810fab7487fb0aad327b76f1be7cd7"
-
-SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;branch=sdk-v1.9.x \
- file://modify-defconfig-t1040-nr-cpus.patch \
- file://net-sctp-CVE-2014-0101.patch \
- file://0001-powerpc-Align-TOC-to-256-bytes.patch \
- file://fix-the-compile-issue-under-gcc6.patch \
- file://module-remove-MODULE_GENERIC_TABLE.patch \
-"
-SRCREV = "43cecda943a6c40a833b588801b0929e8bd48813"
-
-KSRC ?= ""
-S = '${@base_conditional("KSRC", "", "${WORKDIR}/git", "${KSRC}", d)}'
-
-DEPENDS_append = " libgcc"
-# not put Images into /boot of rootfs, install kernel-image if needed
-RDEPENDS_kernel-base = ""
-
-KERNEL_CC_append = " ${TOOLCHAIN_OPTIONS}"
-KERNEL_LD_append = " ${TOOLCHAIN_OPTIONS}"
-
-SCMVERSION ?= "y"
-DELTA_KERNEL_DEFCONFIG ?= ""
-do_configure_prepend() {
- # copy desired defconfig so we pick it up for the real kernel_do_configure
- cp ${KERNEL_DEFCONFIG} ${B}/.config
-
- # add config fragments
- for deltacfg in ${DELTA_KERNEL_DEFCONFIG}; do
- if [ -f "${deltacfg}" ]; then
- ${S}/scripts/kconfig/merge_config.sh -m .config ${deltacfg}
- elif [ -f "${WORKDIR}/${deltacfg}" ]; then
- ${S}/scripts/kconfig/merge_config.sh -m .config ${WORKDIR}/${deltacfg}
- elif [ -f "${S}/arch/${ARCH}/configs/${deltacfg}" ]; then
- ${S}/scripts/kconfig/merge_config.sh -m .config \
- ${S}/arch/powerpc/configs/${deltacfg}
- fi
- done
-
- #add git revision to the local version
- if [ "${SCMVERSION}" = "y" ]; then
- # append sdk version if SDK_VERSION is defined
- sdkversion=''
- if [ -n "${SDK_VERSION}" ]; then
- sdkversion="-${SDK_VERSION}"
- fi
- head=`git --git-dir=${S}/.git rev-parse --verify --short HEAD 2> /dev/null`
- printf "%s%s%s" $sdkversion +g $head > ${B}/.scmversion
- fi
-}
-
-# make everything compatible for the time being
-COMPATIBLE_MACHINE_$MACHINE = "$MACHINE"
diff --git a/recipes-kernel/linux/linux-qoriq_4.1.bb b/recipes-kernel/linux/linux-qoriq_4.1.bb
new file mode 100644
index 0000000..87eebbc
--- /dev/null
+++ b/recipes-kernel/linux/linux-qoriq_4.1.bb
@@ -0,0 +1,56 @@
+inherit kernel kernel-arch qoriq_build_64bit_kernel
+require recipes-kernel/linux/linux-dtb.inc
+
+DESCRIPTION = "Linux kernel for Freescale platforms"
+SECTION = "kernel"
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://COPYING;md5=d7810fab7487fb0aad327b76f1be7cd7"
+
+SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;branch=sdk-v2.0.x \
+ file://modify-defconfig-t1040-nr-cpus.patch \
+ file://fix-the-compile-issue-under-gcc6.patch \
+"
+SRCREV = "bd51baffc04ecc73f933aee1c3a37c8b44b889a7"
+
+KSRC ?= ""
+S = '${@base_conditional("KSRC", "", "${WORKDIR}/git", "${KSRC}", d)}'
+
+DEPENDS_append = " libgcc"
+# not put Images into /boot of rootfs, install kernel-image if needed
+RDEPENDS_kernel-base = ""
+
+KERNEL_CC_append = " ${TOOLCHAIN_OPTIONS}"
+KERNEL_LD_append = " ${TOOLCHAIN_OPTIONS}"
+
+SCMVERSION ?= "y"
+DELTA_KERNEL_DEFCONFIG ?= ""
+do_configure_prepend() {
+ # copy desired defconfig so we pick it up for the real kernel_do_configure
+ cp ${KERNEL_DEFCONFIG} ${B}/.config
+
+ # add config fragments
+ for deltacfg in ${DELTA_KERNEL_DEFCONFIG}; do
+ if [ -f "${deltacfg}" ]; then
+ ${S}/scripts/kconfig/merge_config.sh -m .config ${deltacfg}
+ elif [ -f "${WORKDIR}/${deltacfg}" ]; then
+ ${S}/scripts/kconfig/merge_config.sh -m .config ${WORKDIR}/${deltacfg}
+ elif [ -f "${S}/arch/${ARCH}/configs/${deltacfg}" ]; then
+ ${S}/scripts/kconfig/merge_config.sh -m .config \
+ ${S}/arch/${ARCH}/configs/${deltacfg}
+ fi
+ done
+
+ #add git revision to the local version
+ if [ "${SCMVERSION}" = "y" ]; then
+ # append sdk version if SDK_VERSION is defined
+ sdkversion=''
+ if [ -n "${SDK_VERSION}" ]; then
+ sdkversion="-${SDK_VERSION}"
+ fi
+ head=`git --git-dir=${S}/.git rev-parse --verify --short HEAD 2> /dev/null`
+ printf "%s%s%s" $sdkversion +g $head > ${B}/.scmversion
+ fi
+}
+
+# make everything compatible for the time being
+COMPATIBLE_MACHINE_$MACHINE = "$MACHINE"
-- cgit v1.2.3-54-g00ecf
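Review bot: In `do_configure_prepend`, a name in `DELTA_KERNEL_DEFCONFIG` that matches none of the three `-f` tests is skipped without any message, so a misspelled or missing fragment, including one meant to switch on hardening options, produces a kernel built from the base defconfig with no sign that anything was dropped. Closing the chain with `else bbfatal "config fragment ${deltacfg} not found"` before the `fi` would fail the build instead of shipping an unintended configuration. Separately, `SRC_URI` no longer lists `net-sctp-CVE-2014-0101.patch`; the upstream commit it backported (ec0223ec48a90cb605244b45f7c62de856403729) dates from March 2014, so it is presumably already contained in the 4.1-based `sdk-v2.0.x` branch, but that is worth confirming at the pinned `SRCREV` before the backport is dropped.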